form_input 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: c46667c81eb96ef6deeaf13501e06f6bc328b862
-  data.tar.gz: e6dc22529b1fdfead38c01c5bd2d6f5b2e1fc52a
+SHA256:
+  metadata.gz: f5f2db9b4c0442f601294eda78d17eae6fa07658d746123b34904f3b436305ec
+  data.tar.gz: 3895b0ddd7f21befbb375d337a485af8c533641faa1171c1f643b14efa306fdf
 SHA512:
-  metadata.gz: 178de263faf14e4621298bfdee13025cd0852020178448f9370d4c27904c9a9a5bbad2c8fb250a55ee10051c370716f23b42eadeec89a4c157055aa12b444bf7
-  data.tar.gz: e62589e13773fd867abbd1bec66a66dad851bda8214968820348ac3566e612ffe48e702a93d1928b5f505c8b53b7d06591923a67969b19e1989979ec3bf2f275
+  metadata.gz: 6864fff3b9a98fab84caba8c5768fd7a4f56c43792e0b540b9d3a8187c5eea9290cce2d0807512c5e9839515b3b48999f1f3e78d560af81765950215c483c981
+  data.tar.gz: 1dd327e0efa4d7c940023a4eae1be1cfd357def6dfd4f432ba9f960e1f42513f5aaeb9ad13afebb6cad2a27625e15dd1abca3c597a9b205fb2bdfb28b250c9ca

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+= 1.4.0
+
+ * Dependencies were updated to support latest gems, in particular both Rack 2.x and 3.x are now supported.
+
+ * The inputs containing characters from Unicode Cf (Format) and Co (Private Use) categories are rejected as was intended.
+
+ * More robust handling of inputs with invalid encoding:
+   * Strings returned by `form_value` are now scrubbed so they don't cause errors when used in templates.
+   * The hash keys with invalid encoding are now handled properly, too.
+
 = 1.3.0
 
  * Further improvements for JSON payloads:

data/README.md

@@ -50,7 +50,7 @@ Using them in your templates is as simple as this:
   .panel-heading
     = @title = "Contact Form"
   .panel-body
-    form *form_attrs
+    form method='post' action=request.path
       fieldset
         == snippet :form_panel, params: @form.params
         button.btn.btn-default type='submit' Send
@@ -1037,7 +1037,7 @@ The `validate!` method on the other hand always invokes the validation,
 wiping any previously reported errors first.
 
 In either case any errors collected will remain stored
-until you change any of the parameter values with `set`, `clear`, or `[]=` methods,
+until you change any of the parameter values with `set`, `unset`, `clear`, or `[]=` methods,
 or you explicitly call `validate!`.
 Copies created with `dup` (but not `clone`), `only`, and `except` methods
 also have any errors reported before cleared.
@@ -1399,6 +1399,42 @@ Even the `nil` values are included for parameters which were explicitly set to `
   OptionalInput.from_data( hash: {} ).to_data       # { hash: {} }
 ```
 
+With regards to `nil` values, you may want to differentiate
+between which parameters may be set to `nil` and which not
+(in addition to parameters being required or not).
+In such case, you can extend your JSON processing class wrapping `FormInput` like this:
+
+``` ruby
+  # Like param, but the parameter may be nil (and other parameters now can't).
+  def self.param?( name, *args, &block )
+    param( name, *args, allow_nil: true, &block )
+  end
+
+  # Like normal validate, but makes sure the parameters are not nil unless allowed.
+  def validate
+    super
+    set_params.each do |p|
+      unless p[ :allow_nil ]
+        p.report( "%p is nil" ) if p.value.nil?
+      end
+    end
+    self
+  end
+```
+
+This allows you to explicitely distinguish the three most commonly used cases with ease,
+especially when combined with further parameter types and checks:
+
+``` ruby
+  param :a, INTEGER_ARGS    # When set, this must be an integer.
+  param? :b, INTEGER_ARGS   # When set, this must be nil or an integer.
+  param! :c, INTEGER_ARGS   # This must be set to an integer.
+
+  param :s                  # When set, this must be a string, albeit perhaps empty.
+  param? :t                 # When set, this must be nil or a string, including empty.
+  param! :n                 # This must be set to a non-empty string.
+```
+
 The whole JSON processing may in the end look something like this:
 
 ``` ruby
@@ -1467,6 +1503,19 @@ and keys are passed to `form_name` to create the actual name:
     input type=p.type name=p.form_name( key ) value=value
 ```
 
+Note that for your convenience,
+any strings returned by `form_value` are scrubbed of characters in invalid encoding,
+should there be any,
+which makes them guaranteed to coalesce with the form template without triggering encoding errors.
+Under normal circumstances you would never encounter such invalid inputs,
+but sometimes hackers use them to try to break the applications on purpose.
+The scrubbing thus takes care that you don't have to deal with this in templates specially if it ever happens.
+However,
+if you would for some reason ever need the `form_value` without the scrubbing applied,
+note that you can use the `url_value` method
+(used internally by `url_params` and `url_query`, see [URL Helpers](#url-helpers))
+instead.
+
 For parameters which require additional data,
 like select, multi-select, or multi-checkbox parameters,
 you can ask for the data using the `data` method.
@@ -1721,11 +1770,8 @@ For [Sinatra], the helper may look like this:
 
 ``` ruby
   # Get hash with default form attributes, optionally overriding them as needed.
-  def form_attrs( *args )
-    opts = args.last.is_a?( Hash ) ? args.pop : {}
-    url = args.shift.to_s unless args.empty?
-    fail( ArgumentError, "Invalid arguments #{args.inspect}" ) unless args.empty?
-    { action: url || request.path, method: :post }.merge( opts )
+  def form_attrs( url = request.path, **opts )
+    { action: url.to_s, method: :post }.merge( opts )
   end
 ```
 

data/form_input.gemspec

@@ -23,11 +23,13 @@ EOT
 
   s.files       = %w[ LICENSE README.md CHANGELOG.md Rakefile .yardopts form_input.gemspec ] + Dir[ '{lib,test,example}/**/*.{rb,yml,txt,slim}' ]
 
-  s.required_ruby_version = '>= 2.0.0'
-  s.add_runtime_dependency 'rack', '>= 1.5', '< 3.0'
+  s.required_ruby_version = '>= 2.1.0'
+  s.add_runtime_dependency 'rack', '>= 1.5', '< 4.0'
+  s.add_development_dependency 'rake', '~> 13.0'
   s.add_development_dependency 'bacon', '~> 1.2'
-  s.add_development_dependency 'rack-test', '~> 0.6'
-  s.add_development_dependency 'r18n-core', '~> 2.0'
+  s.add_development_dependency 'simplecov', '~> 0.21'
+  s.add_development_dependency 'rack-test', '>= 1.0', '< 3.0'
+  s.add_development_dependency 'r18n-core', '~> 5.0'
 end
 
 # EOF #

data/lib/form_input/core.rb

@@ -8,9 +8,20 @@ class FormInput
   # Default size limit applied to all input.
   DEFAULT_SIZE_LIMIT = 255
 
-  # Default input filter applied to all input.
+  # Default input filter applied to all input (unless replaced by user's filter).
   DEFAULT_FILTER = ->{ gsub( /\s+/, ' ' ).strip }
 
+  # Default match applied to all input (in addition to user's match(es)).
+  # Note that the Graph property, despite being defined as "Non-blank characters",
+  # currently includes Cf (Other: Format) and Co (Other: Private Use) categories,
+  # which include stuff like BOM or BIDI formatting and other invisible characters,
+  # which you may or may not want. To protect the innocent and prevent nasty surprises,
+  # DEFAULT_REJECT was introduced to avoid these by default, but make it possible to override.
+  DEFAULT_MATCH = /\A(\p{Graph}|[ \t\r\n])*\z/u
+
+  # Default reject applied to all input (in addition to user's reject(s)).
+  DEFAULT_REJECT = /\p{Cf}|\p{Co}/u
+
   # Minimum hash key value we allow by default.
   DEFAULT_MIN_KEY = 0
 
@@ -49,6 +60,9 @@ class FormInput
     match_msg: "%p like this is not valid",
   }
 
+  # Character used as default replacement for invalid characters when formatting values.
+  DEFAULT_REPLACEMENT_CHARACTER = '?'
+
   # Parameter options which can be merged together into an array when multiple option hashes are merged.
   MERGEABLE_OPTIONS = [ :check, :test ]
 
@@ -92,8 +106,17 @@ class FormInput
       form ? form[ name ] : nil
     end
 
+    # Make sure given string is in our default encoding and contains only valid characters.
+    def cleanup_string( string, replacement )
+      unless string.valid_encoding? && ( string.encoding == DEFAULT_ENCODING || string.ascii_only? )
+        string = string.dup.force_encoding( DEFAULT_ENCODING ).scrub( replacement )
+      end
+      string
+    end
+
     # Format given value for form/URL output, applying the formatting filter as necessary.
-    def format_value( value )
+    def format_value( value, replacement = DEFAULT_REPLACEMENT_CHARACTER )
+      value = cleanup_string( value, replacement ) if replacement and value.is_a?( String )
       if format.nil? or value.nil? or ( value.is_a?( String ) and type = self[ :class ] and type != String )
         value.to_s
       else
@@ -102,16 +125,26 @@ class FormInput
     end
 
     # Get value of this parameter for use in form/URL, with all scalar values converted to strings.
-    def form_value
+    def formatted_value( replacement = DEFAULT_REPLACEMENT_CHARACTER )
       if array?
-        [ *value ].map{ |x| format_value( x ) }
+        [ *value ].map{ |x| format_value( x, replacement ) }
       elsif hash?
-        Hash[ [ *value ].map{ |k, v| [ k.to_s, format_value( v ) ] } ]
+        Hash[ [ *value ].map{ |k, v| [ replacement ? cleanup_string( k.to_s, replacement ) : k.to_s, format_value( v, replacement ) ] } ]
       else
-        format_value( value )
+        format_value( value, replacement )
       end
     end
 
+    # Get value of this parameter for use in form, with all scalar values converted to strings.
+    def form_value
+      formatted_value
+    end
+
+    # Get value of this parameter for use in URL, with all scalar values converted to strings.
+    def url_value
+      formatted_value( nil )
+    end
+
     # Test if given parameter has value of correct type.
     def correct?
       case v = value
@@ -452,7 +485,7 @@ class FormInput
       # If there is a key pattern specified, make sure the key matches.
 
       if patterns = self[ :match_key ]
-        unless [ *patterns ].all?{ |x| value.to_s =~ x }
+        unless value.to_s.valid_encoding? and [ *patterns ].all?{ |x| value.to_s =~ x }
           report( :match_key )
           return
         end
@@ -563,7 +596,7 @@ class FormInput
         return
       end
 
-      unless value =~ /\A(\p{Graph}|[ \t\r\n])*\z/u
+      unless value =~ DEFAULT_MATCH && value !~ DEFAULT_REJECT
         report( :invalid_characters )
         return
       end
@@ -1113,15 +1146,32 @@ class FormInput
   # Get hash of all non-empty parameters for use in URL.
   def url_params
     result = {}
-    filled_params.each{ |x| result[ x.code ] = x.form_value }
+    filled_params.each{ |x| result[ x.code ] = x.url_value }
     result
   end
   alias url_parameters url_params
   alias to_params url_params
 
+  # Escape given string for use in URL query.
+  def url_escape( string )
+    URI.encode_www_form_component( string )
+  end
+
+  # Build URL query from given URL parameters.
+  def build_url_query( value, prefix = nil )
+    case value
+    when Hash
+      value.map{ |k, v| k = url_escape( k ) ; build_url_query( v, prefix ? "#{prefix}[#{k}]" : k ) }.join( '&' )
+    when Array
+      value.map{ |v| build_url_query( v, "#{prefix}[]" ) }.join( '&' )
+    else
+      "#{prefix}=#{url_escape( value )}"
+    end
+  end
+
   # Create string containing URL query from all current non-empty parameters.
   def url_query
-    Rack::Utils.build_nested_query( url_params )
+    build_url_query( url_params )
   end
 
   # Extend given URL with query created from all current non-empty parameters.

data/lib/form_input/version.rb

@@ -3,7 +3,7 @@
 class FormInput
   module Version
     MAJOR = 1
-    MINOR = 3
+    MINOR = 4
     PATCH = 0
     STRING = [ MAJOR, MINOR, PATCH ].join( '.' ).freeze
   end

data/test/helper.rb

@@ -14,7 +14,9 @@ end unless jruby?
 
 if ENV[ 'COVERAGE' ]
   require 'simplecov'
-  SimpleCov.start
+  SimpleCov.start do
+    add_filter 'bundler'
+  end
 end
 
 # EOF #

data/test/test_core.rb

@@ -115,7 +115,15 @@ describe FormInput do
     [ 'q is required', q: "\u{0000}" ],  # Because strip strips \0 as well.
     [ 'q may not contain invalid characters', q: "a\u{0000}b" ],
     [ 'q may not contain invalid characters', q: "\u{0001}" ],
-    [ 'q may not contain invalid characters', q: "\u{2029}" ],
+    [ 'q may not contain invalid characters', q: "\u{2029}" ],    # NBSP
+    [ 'q may not contain invalid characters', q: "\u{00AD}" ],    # Soft-hyphen
+    [ 'q may not contain invalid characters', q: "\u{FEFF}" ],    # BOM, ZWNBSP
+    [ 'q may not contain invalid characters', q: "\u{E000}" ],    # Private use
+    [ 'q may not contain invalid characters', q: "\u{F8FF}" ],    # Private use
+    [ 'q may not contain invalid characters', q: "\u{F0000}" ],   # Private use plane 15
+    [ 'q may not contain invalid characters', q: "\u{FFFFD}" ],   # Private use plane 15
+    [ 'q may not contain invalid characters', q: "\u{100000}" ],  # Private use plane 16
+    [ 'q may not contain invalid characters', q: "\u{10FFFD}" ],  # Private use plane 16
     [ 'email address like this is not valid', email: 'abc' ],
     [ 'email address may have at most 255 characters', email: 'a@' + 'a' * 254 ],
     [ 'email address may have at most 255 bytes', email: 'á@' + 'a' * 253 ],
@@ -1209,12 +1217,17 @@ describe FormInput do
 
   should 'handle invalid encoding gracefully' do
     s = 255.chr.force_encoding( 'UTF-8' )
+    b = s.dup.force_encoding( 'BINARY' )
 
     f = TestForm.new( query: s )
     ->{ f.validate }.should.not.raise
     f.should.not.be.valid
     f.error_messages.should == [ "q must use valid encoding" ]
-    f.param( :query ).should.not.be.blank
+    p = f.param( :query )
+    p.should.not.be.blank
+    p.should.be.invalid
+    p.form_value.should == '?'
+    p.url_value.should == s
     f.to_hash.should == { query: s }
     f.to_data.should == { q: s }
     f.url_params.should == { q: s }
@@ -1224,11 +1237,46 @@ describe FormInput do
     ->{ f.validate }.should.not.raise
     f.should.not.be.valid
     f.error_messages.should == [ "q must use valid encoding" ]
-    f.param( :query ).should.not.be.blank
-    f.to_hash.should == { query: s.dup.force_encoding( 'BINARY' ) }
-    f.to_data.should == { q: s.dup.force_encoding( 'BINARY' ) }
-    f.url_params.should == { q: s.dup.force_encoding( 'BINARY' ) }
+    p = f.param( :query )
+    p.should.not.be.blank
+    p.should.be.invalid
+    p.form_value.should == '?'
+    p.url_value.should == b
+    f.to_hash.should == { query: b }
+    f.to_data.should == { q: b }
+    f.url_params.should == { q: b }
     f.url_query.should == "q=%FF"
+
+    c = Class.new( FormInput )
+    c.hash :hsh, :h, match_key: /\A\w+\z/
+
+    f = c.new( hsh: { s => 1, 2 => s } )
+    ->{ f.validate }.should.not.raise
+    f.should.not.be.valid
+    f.error_messages.should == [ "h contain invalid key" ]
+    p = f.param( :hsh )
+    p.should.not.be.blank
+    p.should.be.invalid
+    p.form_value.should == { '?' => '1', '2' => '?' }
+    p.url_value.should == { s => '1', '2' => s }
+    f.to_hash.should == { hsh: { s => 1, 2 => s } }
+    f.to_data.should == { h: { s => 1, 2 => s } }
+    f.url_params.should == { h: { s => '1', '2' => s } }
+    f.url_query.should == "h[%FF]=1&h[2]=%FF"
+
+    f = c.new( request( "?h[%ff]=1&h[2]=%ff" ) )
+    ->{ f.validate }.should.not.raise
+    f.should.not.be.valid
+    f.error_messages.should == [ "h contain invalid key" ]
+    p = f.param( :hsh )
+    p.should.not.be.blank
+    p.should.be.invalid
+    p.form_value.should == { '?' => '1', '2' => '?' }
+    p.url_value.should == { s => '1', '2' => b }
+    f.to_hash.should == { hsh: { s => '1', 2 => b } }
+    f.to_data.should == { h: { s => '1', 2 => b } }
+    f.url_params.should == { h: { s => '1', '2' => b } }
+    f.url_query.should == "h[%FF]=1&h[2]=%FF"
   end
 
   should 'reject unexpected values in request input' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: form_input
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Patrik Rak
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-31 00:00:00.000000000 Z
+date: 2025-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -19,7 +19,7 @@ dependencies:
         version: '1.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,21 @@ dependencies:
         version: '1.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: bacon
   requirement: !ruby/object:Gem::Requirement
@@ -45,33 +59,53 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.2'
 - !ruby/object:Gem::Dependency
-  name: rack-test
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '0.21'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '0.21'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: r18n-core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '5.0'
 description: |
   This gem allows you to describe your forms using a simple DSL
   and then takes care of sanitizing, transforming, and validating the input for you,
@@ -150,18 +184,16 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.0.0
+      version: 2.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: Form helper which sanitizes, transforms, validates and encapsulates web request
   input.
 test_files: []
-has_rdoc: